Phishing emails are a well-known and mostly annoying daily reality for most of us. Most companies have email security protections in place, and most of the phishing attempts are obvious and easy to avoid. These “scatter shot” or “spray-and-pray” attacks rely on sending a high volume of generic emails to catch a few bites from gullible targets.
However, spear phishing is different. It’s more difficult to identify and potentially more damaging to your company. It requires some up-front homework on the part of the scammer, but results in a much higher success rate and a higher return on that investment. The hacker’s intent is to earn the trust of the recipient by making their target believe they’re communicating with a trusted colleague or even a family member. This allows them to increase the probability of getting a “click” that leads to malware, or permits them to directly scam the victim for funds, gift cards or information.
Trend Micro reports that an incredible 91% of cyber attacks, and the data breaches that result from them, begin with a spear phishing email.
noun: spear phishing
- The fraudulent practice of sending emails ostensibly from a known or trusted sender in order to induce targeted individuals to reveal confidential information.
How do they do it?
Step One: Research
Where do spear phishers get the information they need to appear legitimate? It’s easy to gather a surprising amount of information from common public sources:
- LinkedIn is a great tool, but it is also a rich source of the names, responsibilities and contact information of people within your company. Your own website often lists senior names and positions.
- Other social media sources make it easy to identify when individuals go on vacation or change jobs. They also allow hackers to build a profile of the victim’s life, work and interests, and may include information about the victim’s friends and family.
- Emails may be harvested from search engines or the dark web.
- Test emails may be sent to get replies from targets in order to capture signatures or look for “out of office” replies to determine when key people may be hard to reach.
- Calling and asking for information is basic social engineering that takes advantage of employees’ desire to be helpful. “I’m a new vendor and need to set up a wire transfer, who do I talk with?”
Step Two: Send the emails
Once the hacker has done the research, it’s time to send the emails. Spear phishing emails are highly targeted, sent to one or just a few carefully selected individuals, and appear to come from a trusted source. You might expect your anti-phishing protection to block these emails but, unfortunately, it’s fairly easy for hackers to get around it.
Typical goals of spear phishing include accessing confidential information, learning business secrets, gaining access to another company or collecting money.
One way to collect money is to first determine who is out of the office. The hacker sends emails and waits for the “out of office” reply. Then the hacker sends emails to other employees in that company, masked as that person, and asks for favors. Examples of these favors might include:
- Gift Cards – “Do me a favor, I just realized I need 10 Walmart gift cards to give out for the holidays, trade show, etc. Can you pick some up, scratch the backs to reveal the numbers and send the numbers to me?”
- New vendor – “We added a new vendor and I need to send them $10,000. Can you help? Here are the wiring instructions.”
- Emergency – “I’m stranded without my credit cards, can you send me some gift card numbers to tide me over until they get replaced?”
What you can do to protect yourself
What can you do that you’re not already doing?
- Audit and understand your exposure.
It’s critical that your organization is aware of all the places where a hacker can gather information to aid them in their phishing attempt, then adopt policies and controls to limit your exposure.
- Adopt and enforce social media policies to limit the amount of information a spear phisher can gather. Don’t post vacations, specifics on the chain of command or security tools used by IT.
- Don’t allow use of personal mail for company business. A “request” that appears to come from your boss’ personal account should be ignored.
- Flag all external mail. Any mail that appears to come from within the company, but has an “external” flag is immediately identifiable as fake.
- Enable advanced security policies on email protection (note: these may require a substantial effort in on-going administration):
  - Restrict the use of “Out of Office” replies to external emails. This is an easy way for phishers to learn when the CEO is out, and when they’ll be back.
- Implement and enforce strong controls on the transfer of money or purchase of gift-cards. Require some form of authentication.
- Train employees to recognize social engineering calls or requests. The most important tool in the anti-phishing toolbox is regular training and testing of employees. The easiest way to do this is to use a service to send unannounced phishing emails to see who “clicks.” In the programs that we administer to our clients at RESULTS Technology, we typically see about a 15% click rate before training and a 5% click rate after training. RESULTS provides this service to clients and non-clients.
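As an added illustration (not code from the original post or from RESULTS Technology) of what the external-mail flag and the personal-account rule above give a mail gateway to work with: this Python tags internet-originated mail and reports when the From: header claims the company’s own domain or the display name of a known staff member on an outside address. The domain, the staff directory and the three sample messages are constructed placeholders.

```python
from email import message_from_string, policy
from email.utils import parseaddr

# Assumption: the company's own domain(s); a real gateway loads these from its config.
INTERNAL_DOMAINS = {"example.com"}
# Assumption: display name -> official address, as a gateway might load from the directory.
KNOWN_STAFF = {"Jane Doe": "jane.doe@example.com"}


def classify(raw, from_internet):
    """Apply the external-sender flag to one message.

    `from_internet` is what the gateway already knows: True when the message arrived
    over an unauthenticated connection from outside the organization.
    Returns (subject_to_deliver, findings); findings is empty for clean mail.
    """
    msg = message_from_string(raw, policy=policy.default)
    name, addr = parseaddr(str(msg.get("From", "")))
    subject = str(msg.get("Subject", ""))
    domain = addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""
    findings = []
    if not from_internet:
        return subject, findings  # submitted by an authenticated internal user: no tag

    # Every externally sourced message gets the visible tag, once.
    tagged = subject if subject.startswith("[EXTERNAL]") else f"[EXTERNAL] {subject}"
    # Arrived from outside yet claims to be one of ours: the "internal but flagged" case.
    if domain in INTERNAL_DOMAINS:
        findings.append("external origin but From claims internal domain")
    # A known colleague's name on a non-company (e.g. "personal") address.
    if name in KNOWN_STAFF and addr.lower() != KNOWN_STAFF[name].lower():
        findings.append(f"display name of staff member {name!r} on outside address {addr}")
    return tagged, findings


# Constructed sample: spoof of the company's own domain, arriving from the internet.
SPOOFED = "From: Jane Doe <jane.doe@example.com>\r\nSubject: Quick favor\r\n\r\nNeed 10 gift cards today.\r\n"
# Constructed sample: the boss's "personal" account asking for a wire.
PERSONAL = "From: Jane Doe <jane.doe.ceo@example.net>\r\nSubject: Urgent wire\r\n\r\nNew vendor, details attached.\r\n"
# Constructed sample: a genuine internal submission.
INTERNAL = "From: Jane Doe <jane.doe@example.com>\r\nSubject: Lunch\r\n\r\nNoon?\r\n"

if __name__ == "__main__":
    for label, raw, ext in (("spoofed", SPOOFED, True), ("personal", PERSONAL, True), ("internal", INTERNAL, False)):
        print(label, classify(raw, ext))
```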
Spear phishing is a common and very real threat, but there are things you can do. Adopting policies that restrict public information, deploying phish-blocking technology and training your employees are all part of a comprehensive plan that can help your company avoid becoming the next victim.
About the author
Mike Gilmore is Chief Compliance and Security Officer at RESULTS Technology. He has over 25 years’ experience in IT as a developer, administrator, CIO, and consultant. He can be reached at firstname.lastname@example.org.